lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YjIeff7ESJB/amYA@agluck-desk3.sc.intel.com>
Date:   Wed, 16 Mar 2022 10:29:33 -0700
From:   "Luck, Tony" <tony.luck@...el.com>
To:     Shuai Xue <xueshuai@...ux.alibaba.com>
Cc:     "rjw@...ysocki.net" <rjw@...ysocki.net>,
        "lenb@...nel.org" <lenb@...nel.org>,
        "james.morse@....com" <james.morse@....com>,
        "bp@...en8.de" <bp@...en8.de>,
        "linux-acpi@...r.kernel.org" <linux-acpi@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        graeme.gregory@...aro.org, will.deacon@....com,
        myron.stowe@...hat.com, len.brown@...el.com, ying.huang@...el.com
Subject: Re: [BUG] kernel side can NOT trigger memory error with einj

On Tue, Mar 08, 2022 at 01:19:12PM +0800, Shuai Xue wrote:
> Hi folks,
> 
> If we inject an memory error at physical memory address, e.g. 0x92f033038,
> used by a user space process:
> 
> 	echo 0x92f033038 > /sys/kernel/debug/apei/einj/param1
> 	echo 0xfffffffffffff000 > /sys/kernel/debug/apei/einj/param2
> 	echo 0x1 > /sys/kernel/debug/apei/einj/flags
> 	echo 0x8 > /sys/kernel/debug/apei/einj/error_type
> 	echo 1 > /sys/kernel/debug/apei/einj/error_inject
> 
> Then the following error will be reported in dmesg:
> 
>     ACPI: [Firmware Bug]: requested region covers kernel memory @ 0x000000092f033038
> 
> After digging into einj trigger interface, I think it's a kernel bug.

I think you are right. This isn't the first bug where Linux tries
to validate addresses supplied by EINJ for Linux to read/write.

I hadn't come across it because I almost always set:

# echo 1 > notrigger

so that I can have some application, or function in the kernel
trigger the error. Instead of running the EINJ trigger action
to make it happen right away.

> I am wondering that should we use kmap to map RAM in acpi_map or add a
> another path to address this issue? Any comment is welcomed.

Perhaps just drop the sanity checks? Just trusting the BIOS? Sounds
radical, but this is validation code where the user is deliberately
injecting errors. If there are BIOS bugs, then people doing validation
may be well positioned to find the BIOS people to make them fix
things.

Problem with this approach is that EINJ calls into the APEI code
that is used for other things besides error injection for validation.
So a blanket removal of sanity checks wouldn't be a good idea.

-Tony

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ